Many of the most publicized data breaches, including the June 2019 Desjardins data breach and the recent July 2019 Capital One hack, bear the signs of being an ‘inside job’ or having been done by a person closely familiarized with the company taking advantage of weak protections. Why do such people choose to hack and steal this personal information from financial institutions?
The obvious answer is the financial gains to be made. Personal information can be used to open bank accounts, take out credit, and gain access to someone else’s funds. To someone struggling with money, this can prove to be very enticing. However, the complete picture is often much more complex.
– a hacker with inside knowledge
For the Capital One data breach this week, the FBI were quick to arrest 33-year-old Paige Adele Thompson for the crime. Thompson had formerly been an employee at Amazon’s cloud division, which undoubtedly helped her exploit the vulnerabilities in Capital One’s cloud storage.
While part of the motive was financial, with Ms. Thompson admitting she had been living off her hacking exploits for the past months, Ms. Thompson has demonstrated a history of instability over the past few months online. She posted personal struggles often on Twitter, including struggles with homelessness. Employment details show her floating between jobs frequently until her current state of joblessness.
However, she still felt the need to boast about her exploits on various forms of social media, tweeting about her theft of personal information and how she as soon to become the subject of media attention.
The information currently circulating about Ms. Thompson paints a picture of an isolated and struggling person. Unfortunately, the end goal Ms. Thompson undertook was one of destruction rather than creation.
– an inside job
Other times, it is more difficult to understand the motivations behind an inside job. For the Desjardins breach, the public has heard little about the suspect in the breach, other than that he was an employee who has been subsequently fired, and that he was acting alone. The Quebec police are still busy building a case against him.
Given the nature of the crime, it is easy to imagine that the perpetrator was in it for the money. However, even if he was, Desjardins still could have done more to prevent it. Both Desjardins and Capital One demonstrated that they lacked the proper internal controls to prevent an internal actor from stealing personal information.
And, if a mentally and financially struggling employee were to notice this lapse in internal security, the theft of personal information quickly becomes an appealing target.
Compounding these issues is likely the lack of connection between many of the employees of a financial institution and the effects of using personal data. When you work every day handling data and accounts, it becomes easy to forget the real humans behind your work. A culture not focused on the client can foster feelings that it is acceptable to a be more loose with client finds, much like the notorious activities of certain wall street investment bankers before the 2011 mortgage crisis.
Ultimately, the mindset behind a hacker targeting financial institutions is hard to decipher. Many are motivated by a host of different means, many financial. Others are suffering from mental issues and have other factors clouding their judgement. However, the problem does also lie partly with financial institutions themselves. By implementing better checks and more secure systems, they can mitigate the damage that can be caused by rogue employees or bad hackers.